1 files changed, 195 insertions, 0 deletions
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
new file mode 100644
index 000000000..0a2b1c58d
--- /dev/null
+++ b/debian/patches/debian-config.patch
@@ -0,0 +1,195 @@
+From 966fde291d530349c427da5c98e4f1869cb4e0bb Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sun, 9 Feb 2014 16:10:18 +0000
+Subject: Various Debian-specific configuration changes
+ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
+fewer problems with existing setups (http://bugs.debian.org/237021).
+ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
+ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
+worms.
+ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
+default.
+Document all of this, along with several sshd defaults set in
+debian/openssh-server.postinst.
+Author: Russ Allbery <rra@debian.org>
+Forwarded: not-needed
+Last-Update: 2015-12-07
+Patch-Name: debian-config.patch
+---
+ readconf.c    |  2 +-
+ ssh.1         | 21 +++++++++++++++++++++
+ ssh_config    |  7 ++++++-
+ ssh_config.5  | 19 ++++++++++++++++++-
+ sshd_config   |  2 +-
+ sshd_config.5 | 25 +++++++++++++++++++++++++
+ 6 files changed, 72 insertions(+), 4 deletions(-)
+diff --git a/readconf.c b/readconf.c
+index c0ba5a7..e4e1cba 100644
+--- a/readconf.c
+++ b/readconf.c
+@@ -1749,7 +1749,7 @@ fill_default_options(Options * options)
+        if (options->forward_x11 == -1)
+                options->forward_x11 = 0;
+        if (options->forward_x11_trusted == -1)
+-               options->forward_x11_trusted = 0;
+               options->forward_x11_trusted = 1;
+        if (options->forward_x11_timeout == -1)
+                options->forward_x11_timeout = 1200;
+        if (options->exit_on_forward_failure == -1)
+diff --git a/ssh.1 b/ssh.1
+index 05b7f10..649d6c3 100644
+--- a/ssh.1
+++ b/ssh.1
+@@ -755,6 +755,16 @@ directive in
+ .Xr ssh_config 5
+ for more information.
+ .Pp
+(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
+restrictions by default, because too many programs currently crash in this
+mode.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
+ .It Fl x
+ Disables X11 forwarding.
+ .Pp
+@@ -763,6 +773,17 @@ Enables trusted X11 forwarding.
+ Trusted X11 forwardings are not subjected to the X11 SECURITY extension
+ controls.
+ .Pp
+(Debian-specific: This option does nothing in the default configuration: it
+is equivalent to
+.Dq Cm ForwardX11Trusted No yes ,
+which is the default as described above.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
+ .It Fl y
+ Send log information using the
+ .Xr syslog 3
+diff --git a/ssh_config b/ssh_config
+index 228e5ab..c9386aa 100644
+--- a/ssh_config
+++ b/ssh_config
+@@ -17,9 +17,10 @@
+ # list of available options, their meanings and defaults, please see the
+ # ssh_config(5) man page.
+ 
+-# Host *
+Host *
+ #   ForwardAgent no
+ #   ForwardX11 no
+#   ForwardX11Trusted yes
+ #   RhostsRSAAuthentication no
+ #   RSAAuthentication yes
+ #   PasswordAuthentication yes
+@@ -48,3 +49,7 @@
+ #   VisualHostKey no
+ #   ProxyCommand ssh -q -W %h:%p gateway.example.com
+ #   RekeyLimit 1G 1h
+    SendEnv LANG LC_*
+    HashKnownHosts yes
+    GSSAPIAuthentication yes
+    GSSAPIDelegateCredentials no
+diff --git a/ssh_config.5 b/ssh_config.5
+index d4928b8..81b9b74 100644
+--- a/ssh_config.5
+++ b/ssh_config.5
+@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more
+ host-specific declarations should be given near the beginning of the
+ file, and general defaults at the end.
+ .Pp
+Note that the Debian
+.Ic openssh-client
+package sets several options as standard in
+.Pa /etc/ssh/ssh_config
+which are not the default in
+.Xr ssh 1 :
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm SendEnv No LANG LC_*
+.It
+.Cm HashKnownHosts No yes
+.It
+.Cm GSSAPIAuthentication No yes
+.El
+.Pp
+ The configuration file has the following format:
+ .Pp
+ Empty lines and lines starting with
+@@ -721,7 +737,8 @@ token used for the session will be set to expire after 20 minutes.
+ Remote clients will be refused access after this time.
+ .Pp
+ The default is
+-.Dq no .
+.Dq yes
+(Debian-specific).
+ .Pp
+ See the X11 SECURITY extension specification for full details on
+ the restrictions imposed on untrusted clients.
+diff --git a/sshd_config b/sshd_config
+index 64786c9..d8338db 100644
+--- a/sshd_config
+++ b/sshd_config
+@@ -125,7 +125,7 @@ UsePrivilegeSeparation sandbox              # Default for new installations.
+ #Banner none
+ 
+ # override default of no subsystems
+-Subsystem      sftp    /usr/libexec/sftp-server
+Subsystem      sftp    /usr/lib/openssh/sftp-server
+ 
+ # Example of overriding settings on a per-user basis
+ #Match User anoncvs
+diff --git a/sshd_config.5 b/sshd_config.5
+index 0828592..0be7250 100644
+--- a/sshd_config.5
+++ b/sshd_config.5
+@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
+ .Pq \&"
+ in order to represent arguments containing spaces.
+ .Pp
+Note that the Debian
+.Ic openssh-server
+package sets several options as standard in
+.Pa /etc/ssh/sshd_config
+which are not the default in
+.Xr sshd 8 .
+The exact list depends on whether the package was installed fresh or
+upgraded from various possible previous versions, but includes at least the
+following:
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm ChallengeResponseAuthentication No no
+.It
+.Cm X11Forwarding No yes
+.It
+.Cm PrintMotd No no
+.It
+.Cm AcceptEnv No LANG LC_*
+.It
+.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
+.It
+.Cm UsePAM No yes
+.El
+.Pp
+ The possible
+ keywords and their meanings are as follows (note that
+ keywords are case-insensitive and arguments are case-sensitive):

diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch new file mode 100644 index 000000000..0a2b1c58d --- /dev/null +++ b/debian/patches/debian-config.patch
@@ -0,0 +1,195 @@
	1	From 966fde291d530349c427da5c98e4f1869cb4e0bb Mon Sep 17 00:00:00 2001
	2	From: Colin Watson <cjwatson@debian.org>
	3	Date: Sun, 9 Feb 2014 16:10:18 +0000
	4	Subject: Various Debian-specific configuration changes
	5
	6	ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
	7	fewer problems with existing setups (http://bugs.debian.org/237021).
	8
	9	ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
	10
	11	ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
	12	worms.
	13
	14	ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
	15	default.
	16
	17	Document all of this, along with several sshd defaults set in
	18	debian/openssh-server.postinst.
	19
	20	Author: Russ Allbery <rra@debian.org>
	21	Forwarded: not-needed
	22	Last-Update: 2015-12-07
	23
	24	Patch-Name: debian-config.patch
	25	---
	26	readconf.c \| 2 +-
	27	ssh.1 \| 21 +++++++++++++++++++++
	28	ssh_config \| 7 ++++++-
	29	ssh_config.5 \| 19 ++++++++++++++++++-
	30	sshd_config \| 2 +-
	31	sshd_config.5 \| 25 +++++++++++++++++++++++++
	32	6 files changed, 72 insertions(+), 4 deletions(-)
	33
	34	diff --git a/readconf.c b/readconf.c
	35	index c0ba5a7..e4e1cba 100644
	36	--- a/readconf.c
	37	+++ b/readconf.c
	38	@@ -1749,7 +1749,7 @@ fill_default_options(Options * options)
	39	if (options->forward_x11 == -1)
	40	options->forward_x11 = 0;
	41	if (options->forward_x11_trusted == -1)
	42	- options->forward_x11_trusted = 0;
	43	+ options->forward_x11_trusted = 1;
	44	if (options->forward_x11_timeout == -1)
	45	options->forward_x11_timeout = 1200;
	46	if (options->exit_on_forward_failure == -1)
	47	diff --git a/ssh.1 b/ssh.1
	48	index 05b7f10..649d6c3 100644
	49	--- a/ssh.1
	50	+++ b/ssh.1
	51	@@ -755,6 +755,16 @@ directive in
	52	.Xr ssh_config 5
	53	for more information.
	54	.Pp
	55	+(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
	56	+restrictions by default, because too many programs currently crash in this
	57	+mode.
	58	+Set the
	59	+.Cm ForwardX11Trusted
	60	+option to
	61	+.Dq no
	62	+to restore the upstream behaviour.
	63	+This may change in future depending on client-side improvements.)
	64	+.Pp
	65	.It Fl x
	66	Disables X11 forwarding.
	67	.Pp
	68	@@ -763,6 +773,17 @@ Enables trusted X11 forwarding.
	69	Trusted X11 forwardings are not subjected to the X11 SECURITY extension
	70	controls.
	71	.Pp
	72	+(Debian-specific: This option does nothing in the default configuration: it
	73	+is equivalent to
	74	+.Dq Cm ForwardX11Trusted No yes ,
	75	+which is the default as described above.
	76	+Set the
	77	+.Cm ForwardX11Trusted
	78	+option to
	79	+.Dq no
	80	+to restore the upstream behaviour.
	81	+This may change in future depending on client-side improvements.)
	82	+.Pp
	83	.It Fl y
	84	Send log information using the
	85	.Xr syslog 3
	86	diff --git a/ssh_config b/ssh_config
	87	index 228e5ab..c9386aa 100644
	88	--- a/ssh_config
	89	+++ b/ssh_config
	90	@@ -17,9 +17,10 @@
	91	# list of available options, their meanings and defaults, please see the
	92	# ssh_config(5) man page.
	93
	94	-# Host *
	95	+Host *
	96	# ForwardAgent no
	97	# ForwardX11 no
	98	+# ForwardX11Trusted yes
	99	# RhostsRSAAuthentication no
	100	# RSAAuthentication yes
	101	# PasswordAuthentication yes
	102	@@ -48,3 +49,7 @@
	103	# VisualHostKey no
	104	# ProxyCommand ssh -q -W %h:%p gateway.example.com
	105	# RekeyLimit 1G 1h
	106	+ SendEnv LANG LC_*
	107	+ HashKnownHosts yes
	108	+ GSSAPIAuthentication yes
	109	+ GSSAPIDelegateCredentials no
	110	diff --git a/ssh_config.5 b/ssh_config.5
	111	index d4928b8..81b9b74 100644
	112	--- a/ssh_config.5
	113	+++ b/ssh_config.5
	114	@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more
	115	host-specific declarations should be given near the beginning of the
	116	file, and general defaults at the end.
	117	.Pp
	118	+Note that the Debian
	119	+.Ic openssh-client
	120	+package sets several options as standard in
	121	+.Pa /etc/ssh/ssh_config
	122	+which are not the default in
	123	+.Xr ssh 1 :
	124	+.Pp
	125	+.Bl -bullet -offset indent -compact
	126	+.It
	127	+.Cm SendEnv No LANG LC_*
	128	+.It
	129	+.Cm HashKnownHosts No yes
	130	+.It
	131	+.Cm GSSAPIAuthentication No yes
	132	+.El
	133	+.Pp
	134	The configuration file has the following format:
	135	.Pp
	136	Empty lines and lines starting with
	137	@@ -721,7 +737,8 @@ token used for the session will be set to expire after 20 minutes.
	138	Remote clients will be refused access after this time.
	139	.Pp
	140	The default is
	141	-.Dq no .
	142	+.Dq yes
	143	+(Debian-specific).
	144	.Pp
	145	See the X11 SECURITY extension specification for full details on
	146	the restrictions imposed on untrusted clients.
	147	diff --git a/sshd_config b/sshd_config
	148	index 64786c9..d8338db 100644
	149	--- a/sshd_config
	150	+++ b/sshd_config
	151	@@ -125,7 +125,7 @@ UsePrivilegeSeparation sandbox # Default for new installations.
	152	#Banner none
	153
	154	# override default of no subsystems
	155	-Subsystem sftp /usr/libexec/sftp-server
	156	+Subsystem sftp /usr/lib/openssh/sftp-server
	157
	158	# Example of overriding settings on a per-user basis
	159	#Match User anoncvs
	160	diff --git a/sshd_config.5 b/sshd_config.5
	161	index 0828592..0be7250 100644
	162	--- a/sshd_config.5
	163	+++ b/sshd_config.5
	164	@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
	165	.Pq \&"
	166	in order to represent arguments containing spaces.
	167	.Pp
	168	+Note that the Debian
	169	+.Ic openssh-server
	170	+package sets several options as standard in
	171	+.Pa /etc/ssh/sshd_config
	172	+which are not the default in
	173	+.Xr sshd 8 .
	174	+The exact list depends on whether the package was installed fresh or
	175	+upgraded from various possible previous versions, but includes at least the
	176	+following:
	177	+.Pp
	178	+.Bl -bullet -offset indent -compact
	179	+.It
	180	+.Cm ChallengeResponseAuthentication No no
	181	+.It
	182	+.Cm X11Forwarding No yes
	183	+.It
	184	+.Cm PrintMotd No no
	185	+.It
	186	+.Cm AcceptEnv No LANG LC_*
	187	+.It
	188	+.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
	189	+.It
	190	+.Cm UsePAM No yes
	191	+.El
	192	+.Pp
	193	The possible
	194	keywords and their meanings are as follows (note that
	195	keywords are case-insensitive and arguments are case-sensitive):